Microsoft is releasing a noteworthy patch as part of its monthly security updates. The critical vulnerability is known as CVE-2012-002, and it boils down to a flaw in RDP that could allow an attacker to gain access via RDP without authenticating.
The issue is potentially reachable because RDP is allowed through many firewalls for remote management, so an attacker could reach the network in question before authentication is required. Microsoft privately self-reported the problem first and noted that they have not seen it in the wild, but followed up with a comment on TechNet that they do expect to see working exploit code within the next 30 days.
Steps to resolve the issue:
1. Apply the update on machines with RDP enabled
2. Enable Network Level Authentication (NLA) on Windows Vista or later machines. Here is a direct link to Microsoft’s Fix It 50844
- The Fix It above is a simple MSI package that enumerates each of the “listener” registry subkeys under HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations and sets the “UserAuthentication” REG_DWORD to 1.
Note: Enabling NLA will prevent older clients (XP & Server 2003) from connecting because they do not support NLA. If you need to initiate an RDP connection from an XP client, be sure to install the CredSSP.
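To check or apply the same registry setting by hand, the script below walks the listener subkeys named above and reports whether each one requires NLA. It is an added example, not Microsoft's Fix It code; the `-Enforce` switch and the output column names are this example's own, and it assumes an elevated PowerShell 3.0 or later session.

```powershell
# Added example: audit (and optionally enforce) NLA on every RDP listener.
# -Enforce is a parameter of this script, not of any Microsoft tool.
param([switch]$Enforce)

$base = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations'

$results = foreach ($listener in Get-ChildItem -Path $base) {
    # Read the current value; this script reports a missing value as "not set"
    # and treats it as NLA not being required.
    $current = (Get-ItemProperty -Path $listener.PSPath -Name UserAuthentication `
                    -ErrorAction SilentlyContinue).UserAuthentication
    $before = if ($null -eq $current) { 'not set' } else { $current }

    if ($Enforce -and $current -ne 1) {
        # Same change the Fix It makes: UserAuthentication (REG_DWORD) = 1
        Set-ItemProperty -Path $listener.PSPath -Name UserAuthentication `
            -Value 1 -Type DWord
        $current = 1
    }

    [pscustomobject]@{
        Listener    = $listener.PSChildName
        Before      = $before
        NlaRequired = ($current -eq 1)
    }
}

$results | Format-Table -AutoSize

# Exit non-zero if any listener still accepts connections without NLA,
# so the script can be used as a compliance check.
if ($results | Where-Object { -not $_.NlaRequired }) { exit 1 }
```

Run it without `-Enforce` first to see which listeners would change, and confirm that no XP or Server 2003 clients depend on them before enforcing.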
For the latest information, please visit Microsoft’s TechNet article.